To prove this point, a team of investigative journalists from the Canadian Broadcasting Corporation’s (CBC) Marketplace program contacted Appthority as a trusted enterprise mobile security company to help them conduct a field study. The team wanted to see how easy it was to build an innocent looking app that could gain access to a wide range of personal data and then how easy it was to get people to download the app away from an approved app store and give it permission to access their data. By later revealing the info the app had collected, the CBC team and Appthority hope to create awareness about the risks inherent in mobile apps and the rampant ignorance around mobile security.

The CBC team wanted a simple app that participants would use daily during the one-week field study, and opted to develop a daily horoscope app. The Appthority Mobile Threat Team (MTT) knew that a popular attack vector for bad actors is inserting malicious code into otherwise benign apps, and decided to follow the same approach. The CBC team was surprised at just how easy it was to create a spying app. Our MTT researchers were quickly able to take an off-the-shelf Android spyware kit called DroidJack and insert it into the horoscope app, and voilà, step 1 of the project was complete. The team now had an app that could give users their daily horoscope, but would also read all of their SMS and email messages, listen in on calls, see pictures and videos, record audio or video at any time, and serve as a perfect 24/7 spy tool. [For a more in-depth look at how the team built the app, and how easy it was to keep the native Android antivirus engines from detecting the spyware, please read our technical blog here.]

Step 2: Distributing the app

The team hosted the app on a private third-party server and gave access only to the participants of the study. Both the CBC and Appthority wanted to make sure the field test ran in a secure, controlled environment, while still showcasing the risks of downloading from unofficial app sources that have not gone through the security vetting Apple and Google provide in their official app stores. While the access controls around our server were specific to the study, the distribution method itself was not theoretical or academic. A recent Android malware campaign called Gooligan compromised over 1 million Google accounts. Gooligan was found in 86 infected apps available for download in third-party stores, and can root 74% of devices.

Step 3: Finding the subjects

The CBC team then hit the streets of Toronto to find people who would be willing to try out their new horoscope app. Ten out of ten people they asked happily installed the app. Ten out of ten ignored the built-in warnings Android devices show when installing apps from third-party sources. Ten out of ten failed to read the privacy policy, in which the CBC disclosed everything the study would do and all of the information it would be able to collect. Thus, ten out of ten subjects willingly but unknowingly installed spyware onto their mobile devices.

Step 4: Harvesting data

The CBC team was shocked at how much data the app was able to collect. One journalist described it as “creepy” when she realized just how much personal information a mobile app could gather, given how intimate we all are with our phones. After all, these devices are always on, go with us everywhere, have cameras and microphones, and carry the majority of our conversations via SMS, email, chat, and phone. Needless to say, the CBC team had to be careful not to collect anything too personal. They collected just enough to shock each subject when the truth was revealed.

Step 5: The reveal

When the CBC team went back to those who downloaded the app, the consensus was “It’s disturbing.” According to a CBC post on the topic, “the most shocking app permission for one of the testers, Shahbaz, was the ability to turn on his camera and microphone unprompted. ‘I should have read those terms and conditions,’ he said.”

Each of the users was visibly shocked by what they had shared via the app, but grateful to learn about the consequences of mobile risks in a controlled field study rather than out in the wild. Unfortunately, it often takes an eye-opening experience to change our habits for the better, and both the CBC and Appthority hope the story of these ten subjects serves as a warning to millions of others. [For tips on secure smartphone use, see this companion video from the CBC.]

Step 6: The cleanup

All data collected, apps used, and even servers used in the study were completely deleted at the conclusion of the field test.

So, what does this mean for enterprise security?

The key takeaway for enterprises from this field study is that employees are consumers too. And, as much as we would like to think that employees follow enterprise security best practices all of the time on the devices they use in their work and personal lives, they do not. Mobile users make choices every day that affect an enterprise’s security posture, and, as the field study showed, they do not always make the best security choices even for themselves. Further, in a world connected by mobile, users share the things they like, including risky apps. An employee who sideloaded our example spyware app could easily have shared it with work colleagues and, in doing so, created a spy network inside your corporation, recording conversations, streaming live video, and so on.
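As an added defender-side check (example code written for this page, not part of the CBC/Appthority study), the script below parses the output of two stock Android commands, `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`, and flags third-party apps that were not installed by the Play Store yet request camera, microphone, SMS or call-log access, the combination that let a repackaged horoscope app spy on the study's subjects. The command output embedded below is constructed and the package names are hypothetical.

```python
import re
PLAY_STORE = "com.android.vending"
# Permissions a repackaged "horoscope" app needs to spy as the study's app did.
SPY_PERMISSIONS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
}
# Constructed sample of `adb shell pm list packages -3 -i` output.
PM_LIST = """\
package:com.example.horoscope  installer=null
package:com.example.camera  installer=com.android.vending
"""
# Constructed excerpts of `adb shell dumpsys package <pkg>` output.
DUMPSYS = {
    "com.example.horoscope": """\
    requested permissions:
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.camera": """\
    requested permissions:
      android.permission.CAMERA
""",
}
def parse_installers(pm_output):
    """Map package -> installing package; 'null' means sideloaded."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M))

def requested_permissions(dumpsys_output):
    """Collect names listed under 'requested permissions:' only."""
    perms, in_section = set(), False
    for line in dumpsys_output.splitlines():
        s = line.strip()
        if s.endswith(":"):  # a new dumpsys section header
            in_section = s == "requested permissions:"
        elif in_section and s.startswith("android.permission."):
            perms.add(s)
    return perms

def flag_sideloaded_spyware(pm_output, dumpsys_by_pkg):
    """Sideloaded apps -> sorted spy-capable permissions they request."""
    flagged = {}
    for pkg, installer in parse_installers(pm_output).items():
        risky = requested_permissions(dumpsys_by_pkg.get(pkg, "")) & SPY_PERMISSIONS
        if installer != PLAY_STORE and risky:
            flagged[pkg] = sorted(risky)
    return flagged
```

Run against a real device by piping the two commands' output into `flag_sideloaded_spyware`; the Play Store camera app is left alone while the sideloaded horoscope app is reported with the three permissions it requests.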

Both personal and corporate data are targeted in mobile security attacks and, as more work is done via mobile, the risk to enterprise data grows. But, while mobile adoption in the enterprise keeps up its explosive growth, mobile security projects remain severely underfunded. As PwC puts it, at the very least, enterprises should strive not to be the “low-hanging fruit” for attackers, by investing in comprehensive mobile threat protection.